Template:Dovecot:Main Page DirectorConf

From Open-Xchange

='''Dovecot Pro Director Configuration'''=
 
=='''Generic Settings'''==
 
'''protocols = imap pop3 lmtp sieve'''
 
Protocols to enable.
 
'''verbose_proctitle = yes'''
 
Show state information in process titles (in “ps” output).
 
=='''Authentication'''==
 
See http://wiki2.dovecot.org/Authentication for more details.
 
'''auth_mechanisms = plain login'''
 
Enables the PLAIN and LOGIN authentication mechanisms. The LOGIN mechanism is obsolete, but still used by old Outlooks and some Microsoft phones.
 
'''auth_verbose = yes'''
 
Log a line for each authentication attempt failure.
 
'''auth_verbose_passwords = sha1:6'''
 
Log the password hashed and truncated for failed authentication attempts. For example, the SHA1 hash of “pass” is 9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684, but because of the :6 suffix only “9d4e1e” is logged. This can be useful for detecting brute force authentication attempts without logging the users’ actual passwords.
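The truncation described above in working form, as an added example that is not from the original page: it reproduces the sha1:6 token Dovecot would log for a given password and then scans constructed auth log lines for the two brute-force patterns those tokens make visible without exposing any password. The exact log wording around the "(user,ip)" and "given password:" fields is an assumption; the parser relies only on those two fields.

```python
import hashlib
import re
from collections import defaultdict

def logged_password_token(password, prefix_len=6):
    """Reproduce what auth_verbose_passwords = sha1:6 puts in the log:
    the hex SHA-1 of the password, truncated to its first prefix_len characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()[:prefix_len]

# Constructed sample of failed-auth log lines (not captured from a real server).
# The "(user,ip)" and "given password:" fields are the ones the parser uses;
# the surrounding wording is an assumption.
SAMPLE_LOG = """\
auth: Info: ldap(alice@example.com,203.0.113.7): Password mismatch (given password: sha1:9d4e1e)
auth: Info: ldap(bob@example.com,203.0.113.7): Password mismatch (given password: sha1:9d4e1e)
auth: Info: ldap(carol@example.com,203.0.113.7): Password mismatch (given password: sha1:9d4e1e)
auth: Info: ldap(dave@example.com,203.0.113.7): Password mismatch (given password: sha1:9d4e1e)
auth: Info: ldap(erin@example.com,198.51.100.9): Password mismatch (given password: sha1:5baa61)
auth: Info: ldap(erin@example.com,198.51.100.9): Password mismatch (given password: sha1:7c4a8d)
auth: Info: ldap(erin@example.com,198.51.100.9): Password mismatch (given password: sha1:a94a8f)
auth: Info: ldap(frank@example.com,192.0.2.44): Password mismatch (given password: sha1:9d4e1e)
"""

FAILURE_RE = re.compile(
    r"\((?P<user>[^,()]+),(?P<ip>[^)]+)\): .*given password: (?:sha1:)?(?P<token>[0-9a-f]+)"
)

def parse_failures(log_text):
    """Return (user, ip, token) triples for every failed attempt in the log."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip"), m.group("token")))
    return events

def find_password_spraying(events, min_users=3):
    """One password token tried against many distinct users from one IP.
    Returns a sorted list of (ip, token, user_count)."""
    users_by_key = defaultdict(set)
    for user, ip, token in events:
        users_by_key[(ip, token)].add(user)
    return sorted((ip, token, len(users))
                  for (ip, token), users in users_by_key.items()
                  if len(users) >= min_users)

def find_guessing(events, min_tokens=3):
    """Many distinct password tokens tried against a single user.
    Returns a sorted list of (user, token_count)."""
    tokens_by_user = defaultdict(set)
    for user, _ip, token in events:
        tokens_by_user[user].add(token)
    return sorted((user, len(tokens))
                  for user, tokens in tokens_by_user.items()
                  if len(tokens) >= min_tokens)

if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print("token for 'pass':", logged_password_token("pass"))
    print("spraying:", find_password_spraying(events))
    print("guessing:", find_guessing(events))
```

The same six-character token recurring across many users from one address is the spraying signature; many different tokens against one user is the guessing signature, and neither analysis needs the plaintext.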
 
'''service anvil {'''
 
  '''unix_listener anvil-auth-penalty {'''
 
    '''mode = 0'''
 
  '''}'''
 
'''}'''
 
Disable authentication penalty. This is explained in http://wiki2.dovecot.org/Authentication/Penalty
 
'''auth_cache_size = 100M'''
 
Specifies the amount of memory used for authentication caching (passdb and userdb lookups).
 
=='''LDAP Authentication'''==
 
See http://wiki2.dovecot.org/AuthDatabase/LDAP for more details. Note that a director proxy doesn’t need userdb configuration (unlike backends).
 
'''passdb {'''
 
  '''args = /etc/dovecot/dovecot-ldap.conf.ext'''
 
  '''driver = ldap'''
 
'''}'''
 
This enables LDAP to be used as passdb.
 
The included dovecot-ldap-director.conf.ext can be used as a template for /etc/dovecot/dovecot-ldap.conf.ext. Its most important settings are:
 
'''hosts = ldap.example.com'''
 
'''dn = cn=admin,dc=example,dc=com'''
 
'''dnpass = secret'''
 
'''base = dc=example,dc=com'''
 
Configure how the LDAP server is reached.
 
'''auth_bind = yes'''
 
Use LDAP authentication binding for verifying users’ passwords.
 
'''blocking = yes'''
 
Use auth worker processes to perform LDAP lookups in order to use multiple concurrent LDAP connections. Otherwise only a single LDAP connection is used.
 
'''pass_attrs = \'''
 
  '''=proxy=y, \'''
 
  '''=proxy_timeout=10, \'''
 
  '''=user=%{ldap:mailRoutingAddress}, \'''
 
  '''=password=%{ldap:userPassword}'''
 
Normalize the username to exactly the mailRoutingAddress field’s value regardless of how the pass_filter found the user.
 
'''pass_filter = (mailRoutingAddress=%u)'''
 
'''iterate_attrs = mailRoutingAddress=user'''
 
'''iterate_filter = (objectClass=messageStoreRecipient)'''
 
How to iterate through all the valid usernames.
 
=='''Director Configuration'''==
 
See http://wiki2.dovecot.org/Director for more details.
 
'''director_mail_servers = dovecot-backends.example.com'''
 
This setting contains a space-separated list of Dovecot backends’ IP addresses or DNS names. One DNS entry may contain multiple IP addresses (which may be the simplest way to configure them).
 
'''director_servers = dovecot-directors.example.com'''
 
This setting contains a space-separated list of Dovecot directors’ IP addresses or DNS names. One DNS entry may contain multiple IP addresses (which may be the simplest way to configure them).
 
'''director_consistent_hashing = yes'''
 
This setting enables consistent hashing in the director. It reduces the number of users that are moved to a different backend when backends are added or removed. This will be the default setting in v2.3.
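An added illustration of why this setting matters (generic code, not the director's own hash function or ring implementation): it compares how many users change backend when one of ten backends is removed under naive modulo hashing versus a consistent-hashing ring. The backend addresses and user names are constructed sample data.

```python
import bisect
import hashlib

def user_hash(key):
    # Generic illustration hash; the director's internal hashing is not shown here.
    return int(hashlib.md5(key.encode("utf-8")).hexdigest(), 16)

def modulo_assign(users, backends):
    """Naive scheme: backend index = hash(user) mod number of backends.
    Changing the backend count reshuffles almost everyone."""
    return {u: backends[user_hash(u) % len(backends)] for u in users}

class HashRing:
    """Consistent hashing: each backend owns `replicas` points on a ring and a
    user maps to the first backend point clockwise from hash(user). Removing a
    backend only moves the users that were on its points."""
    def __init__(self, backends, replicas=100):
        self.points = sorted((user_hash(f"{b}#{i}"), b)
                             for b in backends for i in range(replicas))
        self.keys = [p for p, _ in self.points]

    def lookup(self, user):
        idx = bisect.bisect_right(self.keys, user_hash(user)) % len(self.points)
        return self.points[idx][1]

def consistent_assign(users, backends, replicas=100):
    ring = HashRing(backends, replicas)
    return {u: ring.lookup(u) for u in users}

def moved_fraction(before, after):
    """Share of users whose backend differs between two assignments."""
    return sum(1 for u in before if before[u] != after[u]) / len(before)

def compare_backend_removal(n_users=2000):
    """Return (modulo_moved, consistent_moved) when the last of ten constructed
    backends is removed; the consistent figure should be close to 1/10."""
    backends = [f"10.2.2.{i}" for i in range(70, 80)]   # constructed sample
    users = [f"user{i:04d}@example.com" for i in range(n_users)]
    reduced = backends[:-1]
    mod = moved_fraction(modulo_assign(users, backends), modulo_assign(users, reduced))
    ch = moved_fraction(consistent_assign(users, backends), consistent_assign(users, reduced))
    return mod, ch

if __name__ == "__main__":
    mod, ch = compare_backend_removal()
    print(f"modulo hashing moved {mod:.1%} of users, consistent hashing moved {ch:.1%}")
```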
 
'''auth_socket_path = director-userdb'''
 
'''service director {'''
 
  '''fifo_listener login/proxy-notify {'''
 
    '''mode = 0600'''
 
    '''user = $default_login_user'''
 
  '''}'''
 
  '''inet_listener {'''
 
    '''port = 9090'''
 
  '''}'''
 
  '''unix_listener director-userdb {'''
 
    '''mode = 0600'''
 
  '''}'''
 
  '''unix_listener login/director {'''
 
    '''mode = 0666'''
 
  '''}'''
 
  '''unix_listener director-admin {'''
 
    '''mode = 0600'''
 
  '''}'''
 
'''}'''
 
'''service ipc {'''

  '''unix_listener ipc {'''
 
    '''user = dovecot'''
 
  '''}'''
 
'''}'''
 
'''service imap-login {'''
 
  '''executable = imap-login director'''
 
'''}'''
 
'''service pop3-login {'''
 
  '''executable = pop3-login director'''
 
'''}'''
 
'''service managesieve-login {'''
 
  '''executable = managesieve-login director'''
 
'''}'''
 
All these settings configure the Dovecot director. They don’t usually need to be modified, except the TCP port 9090 may be changed. It is used for the directors’ internal communication.
 
You’ll also need to install the poolmon (or equivalent) monitor script: https://github.com/brandond/poolmon
 
=='''Dovecot Proxy Configuration'''==
 
See http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy for more details.
 
'''login_trusted_networks = 10.0.0.0/8'''
 
Include Dovecot Proxy’s IP addresses/network so they can pass through the session ID and the client’s original IP address. If Open-Xchange is connecting to Dovecot Directors, it’s also useful to provide OX’s IPs/network here for passing through its session ID and the web browser’s original IP address.
 
'''lmtp_proxy = yes'''
 
Enable LMTP to do proxying by doing passdb lookups (instead of only userdb lookups).

'''login_proxy_max_disconnect_delay = 30 secs'''

This setting is used to avoid load spikes caused by reconnecting clients after a backend server has died or been restarted. Instead of disconnecting all the clients at the same time, the disconnections are spread over a longer time period. (v2.2.19+)
 
'''#doveadm_password ='''
 
This configures the doveadm server’s password. It can be used to access users’ mailboxes and do various other things, so it should be kept secret.
 
'''doveadm_port = 24245'''
 
'''service doveadm {'''
 
  '''inet_listener {'''
 
    '''port = 24245'''
 
  '''}'''
 
'''}'''
 
These settings configure the doveadm port when acting as doveadm client and doveadm server.
 
'''service lmtp {'''

  '''inet_listener lmtp {'''
 
    '''port = 24'''
 
  '''}'''
 
'''}'''
 
This setting configures the LMTP port to use.
 
'''service imap-login {'''
 
  '''service_count = 0'''
 
  '''process_min_avail = 4'''
 
  '''process_limit = 4'''
 
'''}'''
 
These 3 settings configure the imap-login process to be in “high performance mode” as explained in http://wiki2.dovecot.org/LoginProcess. The 4 should be changed to the number of CPU cores on the server.
 
'''service pop3-login {'''
 
  '''service_count = 0'''
 
  '''process_min_avail = 4'''
 
  '''process_limit = 4'''
 
'''}'''
 
Enable high performance mode for POP3 as well (as explained above).
 
=='''SSL Configuration'''==
 
See http://wiki2.dovecot.org/SSL for more details.
 
'''disable_plaintext_auth = no'''
 
Should we allow plaintext authentication or require clients to always use SSL/TLS?
 
'''ssl_cert = </etc/dovecot/dovecot.crt'''
 
'''ssl_key = </etc/dovecot/dovecot.key'''
 
SSL certificate and SSL secret key files. You must use the “<” prefix so Dovecot reads the cert/key from the file. (Without “<” Dovecot assumes that the certificate is directly included in the dovecot.conf.)
 
For using different SSL certificates for different IP addresses you can put them inside local {} blocks:
 
'''local 10.0.0.1 {'''
 
  '''ssl_cert = </etc/dovecot/dovecot.crt'''
 
  '''ssl_key = </etc/dovecot/dovecot.key'''
 
'''}'''
 
'''local 10.0.0.2 {'''
 
  '''ssl_cert = </etc/dovecot/dovecot2.crt'''
 
  '''ssl_key = </etc/dovecot/dovecot2.key'''
 
'''}'''
 
If you need different SSL certificates for the IMAP and POP3 protocols, you can put them inside protocol {} blocks:
 
'''local 10.0.0.1 {'''
 
  '''protocol imap {'''
 
    '''ssl_cert = </etc/dovecot/dovecot-imap.crt'''
 
    '''ssl_key = </etc/dovecot/dovecot-imap.key'''
 
  '''}'''
 
  '''protocol pop3 {'''
 
    '''ssl_cert = </etc/dovecot/dovecot-pop3.crt'''
 
    '''ssl_key = </etc/dovecot/dovecot-pop3.key'''
 
  '''}'''
 
'''}'''
 
Dovecot also supports the TLS SNI extension for serving different SSL certificates based on the requested server name when using only a single IP address, but TLS SNI isn’t yet supported by all clients, so that may not be very useful. It can nevertheless be configured using '''local_name imap.example.com {}''' blocks.
 
=='''Dovemon monitoring tool'''==
 
Dovemon is a backend monitoring tool for director hosts. It monitors backend responses and disables/enables backends if they stop responding. (Requires Dovecot v2.2.19 or later. For older versions use poolmon.)
 
Configuration file: /etc/dovecot/dovemon/config.yml:
 
'''loglevel: 4'''
 
'''syslog_facility: local5'''
 
'''director_admin_socket: /var/run/dovecot/director-admin'''
 
'''poll_imap: yes'''
 
'''poll_pop3: no'''
 
'''poll_lmtp: no'''
 
'''imap_ssl: no'''
 
'''pop3_ssl: no'''
 
'''lmtp_ssl: no'''
 
'''interval: 10'''
 
'''timeout: 3'''
 
'''retry_count: 3'''
 
loglevel: 0-4
syslog_facility: local5
*Syslog facility to use when logging
director_admin_socket: /var/run/dovecot/director-admin
*director-admin unix socket used for director admin communication. The director-admin unix listener service needs to be configured in dovecot.conf
poll_imap: yes/no
*use imap connection to poll backend
poll_pop3: yes/no
*use pop3 connection to poll backend
poll_lmtp: yes/no
*use lmtp connection to poll backend
imap_ssl: yes/no
*use ssl connection for imap poll
pop3_ssl: yes/no
*use ssl connection for pop3 poll
lmtp_ssl: yes/no
*use ssl connection for lmtp poll
interval: 0-n
*poll interval in seconds
timeout: 0-n
*timeout in seconds for each poll
retry_count: 0-n
*number of failed polls before issuing HOST-DOWN for the backend
 
Test accounts file: /etc/dovecot/dovemon/test.accounts.yml
 
'''10.2.2.75:'''
 
        '''username: user0001'''
 
        '''password: tosivaikeasalasana'''
 
'''10.2.2.76:'''
 
        '''username: user0002'''
 
        '''password: tosivaikeasalasana'''
 
This file allows configuring a separate test account for each backend. The backend must be specified using the same IP address as what “doveadm director status” shows for it.
 
dovemon issues HOST-DOWN for a backend after 3 (retry_count in the config) consecutive failed polls, and issues HOST-UP for it on the first successful poll if the backend is currently marked down.
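The HOST-DOWN/HOST-UP behaviour described above, as an added example that is not dovemon's own code: a small per-backend monitor fed with poll outcomes, plus an IMAP login probe built on Python's imaplib in the spirit of poll_imap. The names BackendMonitor, imap_login_poll and simulate are mine, the poll sequence is constructed, and the commands are returned as tuples rather than written to the director-admin socket (whose wire format is not shown on this page).

```python
import imaplib

class BackendMonitor:
    """Per-backend state as the page describes dovemon: HOST-DOWN after
    retry_count consecutive failed polls, HOST-UP on the first successful poll
    once the backend is marked down. Commands are returned as tuples so the
    logic can be exercised offline."""

    def __init__(self, backend_ip, retry_count=3):
        self.backend_ip = backend_ip      # must match "doveadm director status"
        self.retry_count = retry_count    # retry_count from config.yml
        self.failures = 0                 # consecutive failed polls so far
        self.marked_down = False

    def record_poll(self, success):
        """Feed one poll outcome; return the command to issue, or None."""
        if success:
            self.failures = 0
            if self.marked_down:
                self.marked_down = False
                return ("HOST-UP", self.backend_ip)
            return None
        self.failures += 1
        if self.failures >= self.retry_count and not self.marked_down:
            self.marked_down = True
            return ("HOST-DOWN", self.backend_ip)
        return None

def imap_login_poll(host, username, password, timeout=3, use_ssl=False, port=None):
    """One poll like poll_imap: connect, LOGIN with the backend's test account,
    LOGOUT. Returns True on success, False on timeout, refusal or auth failure.
    Hypothetical helper; dovemon's own probe is not shown on the page."""
    try:
        if use_ssl:
            conn = imaplib.IMAP4_SSL(host, port or 993, timeout=timeout)
        else:
            conn = imaplib.IMAP4(host, port or 143, timeout=timeout)
        conn.login(username, password)
        conn.logout()
        return True
    except (OSError, imaplib.IMAP4.error):
        return False

def simulate(results, backend_ip="10.2.2.75", retry_count=3):
    """Run a constructed sequence of poll outcomes through the monitor and
    collect the commands it would send (sample data, no real backend involved)."""
    monitor = BackendMonitor(backend_ip, retry_count)
    commands = []
    for ok in results:
        cmd = monitor.record_poll(ok)
        if cmd:
            commands.append(cmd)
    return commands

if __name__ == "__main__":
    # Two transient failures, a recovery, then a real outage and recovery.
    print(simulate([False, False, True, False, False, False, False, True, True]))
```

Note that two failures followed by a success never produce HOST-DOWN: the counter resets on every successful poll, which is what keeps a single dropped connection from flapping a healthy backend.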
 
=='''OS Configuration'''==
 
The default Linux configurations are usually quite good. The only thing needed for large installations is to increase /proc/sys/net/ipv4/ip_local_port_range to provide more local ports in case they run out when proxying. For example “1025 65000” could be a good value to more than double the available ports. If this is not enough, you need to use multiple local IP addresses and list them in the '''login_source_ips''' setting.

Latest revision as of 08:19, 18 March 2016
